Re: About PGP Signing a File.
- From: "Joel Bryan Juliano" <joelbryan.juliano@xxxxxxxxx>
- Date: Sun, 11 Feb 2007 17:59:07 +0800
On 2/11/07, Jeffrey F. Bloss <jbloss@xxxxxxxxxxxxxxx> wrote:
> Joel Bryan Juliano wrote:
> > Hi,
> > I have a question regarding signing a file or binary. I installed
> > Seahorse, which is a really awesome tool! And it has a nautilus-extension
> > that easily encrypts and signs a file or directory by right-clicking the
> > file. Can someone please tell me the use of signing a binary file or
> > directory? I know it's important, but I really don't get it.
>
> The purpose of a digital signature is primarily to guarantee the
> integrity of the signed file: to assure the person who checks the
> signature against the file that the original hasn't been tampered with
> in any way. So any place you need to guarantee file integrity you can
> use a gpg signature.
>
> In a public setting the benefits are obvious. All your Ubuntu software
> installs and system updates should be using digital signatures to
> verify their integrity, for example.
>
> In a private setting the usefulness isn't quite so obvious, but if you
> have a copy of your will or any other legal documents on your machine,
> for example, it's a good idea to sign them. There are also time-stamping
> services available which will stamp your signature with one of
> their own and make that "sub-signature" public, irrefutably proving a
> time line. Precautions that might prevent some shady cousin on your
> wife's side from cutting out your kids and writing himself in for
> your billions. ;)
>
> I've also used digital signatures to monitor changes in critical system
> files and logs. Not so much in modern times, because there are simpler,
> easier ways to do what I used to do with signatures, but it is one
> potential application.
>
> In fact, if you run something like a modern version of rkhunter I
> believe you have the option of using some of the very same hashing
> schemes gpg uses in its digital signatures to verify the integrity of
> the files it keeps track of. Most of your /sbin directory, for
> example. And there used to be a very excellent piece of antivirus
> software floating around called "Integrity Master" which used
> (proprietary?) cryptographic signatures to verify executables on DOS
> boxes. So the usefulness of "local" signatures isn't as broad and
> visible as the more common signed message or software update
> application, but it still exists for a lot of people.
Thanks for all of your awesome replies! This is very valuable
information I learned about PGP signing and the benefits of it, which
is really, really interesting! I have a PGP key that I registered a
year ago and it's really handy for creating Debian packages for
experimental (or, as I call it, my kind of fun) purposes.

Again, PGP is very, very valuable; it's really amazing we have
something like this!

One more thing: do we need to have a key (i.e. ~/.gnupg/*) in order to
verify the signed file or binary?
> --
> _?_ Outside of a dog, a book is a man's best friend.
> (o o) Inside of a dog, it's too dark to read.
> -oOO-(_)--OOo------------------------------[ Groucho Marx ]---
> http://wrench.homelinux.net/~jeff/
>
> --
> ubuntu-users mailing list
> ubuntu-users@xxxxxxxxxxxxxxxx
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
--
Carpe Diem
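The file-integrity use Jeffrey describes (sign a file, later check that it has not changed), as an added example script that is not part of the thread. It assumes gpg 2.x is installed, works entirely in a throwaway GNUPGHOME so your real ~/.gnupg is untouched, and the "critical file" is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not from the thread: a detached GPG signature used as a
# file-integrity check. Assumes gpg (2.x) is installed. Everything lives
# in a throwaway GNUPGHOME; the "system file" below is a constructed stand-in.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Non-interactive, unprotected test key (constructed identity, never reuse it).
gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Integrity Test
Name-Email: integrity-test@example.com
Expire-Date: 0
%commit
EOF

# Detached signature: the file itself is untouched, the signature goes to FILE.sig.
sign_file()   { gpg --batch --yes --quiet --output "$1.sig" --detach-sign "$1"; }
# Exit status 0 only if FILE still matches what was signed. Verifying needs
# only the signer's public key in the keyring; here the keyring holds both halves.
verify_file() { gpg --batch --quiet --verify "$1.sig" "$1" >/dev/null 2>&1; }

ORIG="$WORK/sshd_config"            # constructed stand-in for a system file
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$ORIG"
sign_file "$ORIG"

# A copy that someone edits after signing: same .sig, changed content.
TAMPERED="$WORK/sshd_config.tampered"
cp "$ORIG" "$TAMPERED"; cp "$ORIG.sig" "$TAMPERED.sig"
printf 'PermitRootLogin yes\n' >> "$TAMPERED"

if verify_file "$ORIG";     then echo "original: good signature"; fi
if verify_file "$TAMPERED"; then echo "tampered: still verifies?!"
else echo "tampered: BAD signature, content changed since signing"; fi
```

Run it as a normal user; the temporary keyring and agent are removed on exit.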